September 26, 2003
Audit Report No. 03-044

The Federal Deposit Insurance Corporation's Progress in Implementing the Gramm-Leach-Bliley Act, Title V -- Privacy Provisions

TABLE OF CONTENTS

BACKGROUND
     Subtitle A of GLBA Title V
     Subtitle B of GLBA Title V
     Other Sections of GLBA Title V
     FDIC Rules and Regulations
     DSC's Approach for Examining Standards for Safeguarding Customer Information
     DSC's Approach for Examining Privacy Notice Requirements

RESULTS OF EVALUATION

FINDINGS AND RECOMMENDATIONS

FINDING A: FDIC'S PROGRESS IN IMPLEMENTING GLBA TITLE V -- PRIVACY PROVISIONS
     FDIC Rules and Regulations and FDIC Procedures that Address GLBA Title V Provisions
     Internal Quality Assurance Review of the Privacy Examination Process
     DSC Views on Financial Institutions' Compliance with GLBA

FINDING B: DSC'S EXAMINATION PROCEDURES FOR GLBA TITLE V -- PRIVACY
     Subtitle B - Fraudulent Access to Financial Information
     Procedures for Examining Standards for Safeguarding Customer Information

CONCLUSIONS AND RECOMMENDATIONS

CORPORATION COMMENTS AND OIG EVALUATION

APPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY

APPENDIX II: ACRONYMS USED IN REPORT

APPENDIX III: SUMMARY CROSSWALK OF GLBA TITLE V PROVISIONS TO FDIC RULES AND REGULATIONS AND FDIC PROCEDURES

APPENDIX IV: CORPORATION COMMENTS

APPENDIX V: MANAGEMENT RESPONSES TO RECOMMENDATIONS

TABLES:
Table 1: Technology Types and IT Examination Procedures
Table 2: FDIC Rules, Guidance, and Implementing Procedures for Major GLBA Title V -- Privacy Provisions
Table 3: DSC Action Plan Items
Table 4: Interagency Procedures - Categories and Key Questions
Table 5: References to the Standards for Safeguarding Customer Information in the IT General Work Program "Help" Section
Table 6: Example of GLBA-Related Examination Procedures that Do Not Reference GLBA
Table 7: DSC's Guidelines on GLBA Reporting

Federal Deposit Insurance Corporation                    Office of Audits
Washington, D.C. 20434                                   Office of Inspector General

   DATE:      September 26, 2003

   FROM:      Russell A. Rau
              Assistant Inspector General for Audits

   SUBJECT:   The Federal Deposit Insurance Corporation's Progress in Implementing the Gramm-Leach-Bliley Act, Title V -- Privacy Provisions (Report No. 03-044)

This report presents the results of our evaluation of the Federal Deposit Insurance Corporation's (FDIC) implementation of the Gramm-Leach-Bliley Act of 1999 [1] (GLBA), Title V -- Privacy provisions.
Congress enacted several privacy provisions in the GLBA in response to concerns about the growing inability of consumers to control access to their personal financial information, namely, GLBA, Title V -- Privacy, Subtitles A and B. These privacy provisions created new requirements for various federal and state regulatory agencies and financial institutions. Congress continues to emphasize the importance of consumer privacy, as demonstrated by recent hearings covering the topics of identity theft and obligations regarding disclosures of personal information. [2]

The objective of our evaluation was to determine whether the FDIC has made reasonable progress in implementing the GLBA, Title V privacy provisions. Specifically, we reviewed actions that the FDIC's Division of Supervision and Consumer Protection (DSC) [3] has taken to implement the Title V provisions of GLBA. This evaluation addresses both Subtitle A – Disclosure of Nonpublic Personal Information [4] and Subtitle B – Fraudulent Access to Financial Information. For purposes of this report, we generally refer to the topics of "safeguarding customer [5] information" and "privacy notice requirements" rather than to the specific section numbers within the GLBA. The DSC reviews financial institutions' compliance with (1) GLBA provisions on safeguarding customer information as part of DSC's information technology (IT) examinations and (2) GLBA privacy notice requirements through compliance examinations.

Details of our objective, scope, and methodology are included as Appendix I of this report. Appendix II lists acronyms used in this report.

[1] Pub. L. No. 106-102, codified to titles 12 and 15, United States Code (U.S.C.). The privacy provisions of the Act are codified at 15 U.S.C. §§ 6801–6827 and 1681s.
[2] The U.S. Senate Committee on Banking, Housing, and Urban Affairs conducted hearings in June 2003: (1) "The Growing Problem of Identity Theft and Its Relationship to the Fair Credit Reporting Act" (June 19, 2003); and (2) "Affiliate Sharing Practices and Their Relationship to the Fair Credit Reporting Act" (June 26, 2003).
[3] The FDIC's DSC, in conjunction with other federal and state regulators, examines financial institutions to ensure they are conducting business in compliance with consumer protection rules and in a way that minimizes risk to their customers and to the deposit insurance funds. There are five categories of examinations: Safety and Soundness, Community Reinvestment Act, Compliance, Information Technology, and Trust.
[4] Subtitle A defines nonpublic personal information as personally identifiable financial information that an institution obtains under any of the following three sets of circumstances: (1) the consumer (see definition in footnote 5) provides the information to the institution to obtain a financial product or service; (2) the information is about the consumer and results from any transaction involving a financial product or service between the institution and the consumer; or (3) the information is about the consumer and is otherwise obtained in connection with providing a financial product or service to that consumer.
[5] Subtitle A uses the terms "customer" and "consumer" in different sections. "Customer" is not statutorily defined, although "customer relationship" is described in a definition which, in part, refers to regulations which the federal banking regulators were to draft. In those regulations, the federal banking regulators defined "customer" to mean a "consumer" who has established a "customer relationship" with the financial institution. "Consumer" is defined in GLBA Section 509 as an individual (or legal representative) who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes. "Customer relationship" is defined in the regulations as a continuing relationship between a consumer and the financial institution which provided such financial products or services. As a general rule, in this report, we will use "consumer" unless, in the particular context, "customer" would be more appropriate.

BACKGROUND

In addition to reforming the financial services industry, the GLBA addressed concerns relating to consumer financial privacy. Title V of the GLBA established major privacy provisions under two subtitles – A and B. Subtitle A provides a mechanism to protect the confidentiality of a consumer's nonpublic personal information. Subtitle B prohibits "pretext calling," a deceptive practice used to obtain information on the financial assets of consumers. Criminal penalties and regulatory and administrative enforcement mechanisms are established to help prevent this practice. Appendix III of this report provides a summary "crosswalk" of GLBA Title V provisions to FDIC rules and regulations and DSC examination procedures.

Subtitle A of GLBA Title V

In Subtitle A of GLBA Title V, Congress established requirements for financial institutions and regulatory agencies to protect the privacy of nonpublic personal information obtained by financial institutions.

         Financial Institution Responsibilities: Section 501(a) of Subtitle A states: "It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information." Section 502 applies this policy by generally prohibiting financial institutions from disclosing consumers' nonpublic personal information to any entity that is not an affiliate [6] of, or related by common ownership or control to, the financial institution (a nonaffiliated third party), unless the consumer is given an opportunity to opt out [7] of such disclosure. Such an opportunity is provided under Section 503, which states that financial institutions must provide consumers with privacy notices that include an explanation of the institution's policies and practices for disclosing and protecting the privacy of nonpublic personal information.

         Regulatory Agency Responsibilities: Subtitle A requires various federal [8] and state regulators to establish standards for financial institutions relating to the safeguarding of customer information (Section 501(b)) and to implement those standards, in the same manner, to the extent practicable, "as standards prescribed pursuant to section 39(a) of the Federal Deposit Insurance Act are implemented pursuant to such sections" (Sections 505(a) [9] and 505(b)). [10] In addition, the federal regulators are required to prescribe regulations (Section 504) governing the disclosure of customer information to nonaffiliated third parties.

[6] Under Subtitle A, the term "affiliate" means any company that controls, is controlled by, or is under common control with another company.

Subtitle B of GLBA Title V

Subtitle B of GLBA Title V makes it a federal crime to obtain customer information through fraudulent means (Section 521). It is also a violation of Section 521 "for any person to obtain or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed to any person," customer information through fraudulent means, or to solicit someone to obtain such information through fraudulent means. Subtitle B provides for both criminal penalties and civil administrative remedies through the Federal Trade Commission (FTC) and enforcement by federal banking regulators. [11] Subtitle B places the primary responsibility for enforcing the subtitle's provisions with the FTC.
However, with respect to financial institutions, the federal banking regulators are required to enforce Subtitle B provisions in accordance with Section 8 of the Federal Deposit Insurance (FDI) Act and may rely on other statutory enforcement authorities the federal banking regulators possess.

Section 525 of Subtitle B requires each federal banking regulator to "review regulations and guidelines applicable to financial institutions under their respective jurisdictions" and to "prescribe such revisions to such regulations and guidelines as may be necessary to ensure that such financial institutions have policies, procedures, and controls in place to prevent the unauthorized disclosure of customer financial information and to deter and detect" the unauthorized disclosure of customer financial information by false pretenses. Pretext calling is one common method used to fraudulently obtain a customer's financial information from a financial institution. Pretext calling can lead to "identity theft" -- the fraudulent use of an individual's personal identifying information to commit a financial crime.

[7] A consumer's direction to a financial institution that it not disclose his or her nonpublic personal information to a nonaffiliated third party.
[8] The federal regulators responsible for issuing Subtitle A regulations are the Board of Governors of the Federal Reserve System, the FDIC, the Federal Trade Commission, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Secretary of the Department of the Treasury, the Commodity Futures Trading Commission, and the Securities and Exchange Commission.
[9] Under Section 505(a), federal banking regulators are to enforce the provisions of Subtitle A and related regulations in accordance with Section 8 of the Federal Deposit Insurance Act (FDI Act) (12 U.S.C. § 1818), which contains such enforcement mechanisms as cease and desist orders and civil money penalties. Other statutory enforcement provisions apply in the case of the other federal and state regulators.
[10] Under Section 505(b), federal banking regulators are to implement Section 501(b) standards in the same manner, to the extent practicable, as standards prescribed pursuant to Section 39(a) of the FDI Act (12 U.S.C. § 1831p-1(a)).
[11] For this report, the federal banking regulators are the Board of Governors of the Federal Reserve System, the FDIC, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision.

Other Sections of GLBA Title V

GLBA Title V, Section 506, Protection of Fair Credit Reporting Act (FCRA), requires the federal banking regulators to jointly prescribe FCRA regulations related to affiliate information-sharing provisions, as necessary, with respect to financial institutions. The affiliate information-sharing provisions have not yet been fully implemented, but are being addressed through interagency proposed regulations still in process.

GLBA Title V requires that (1) the Secretary of the Treasury, in conjunction with the federal banking regulators and the FTC, prepare a report [12] to the Congress by January 1, 2002, regarding information-sharing practices among financial institutions and their affiliates; and (2) the General Accounting Office (GAO) consult with the federal banking regulators in preparing a report [13] on the efficacy of GLBA's remedies for pretext calling.

FDIC Rules and Regulations

FDIC Rules and Regulations, Parts 364, 332, and 308, [14] implement the requirements of the applicable sections of GLBA Title V, as follows:

        Part 364 – Standards for Safety and Soundness: Appendix B to Part 364, Interagency Guidelines Establishing Standards for Safeguarding Customer Information, sets forth standards pursuant to Section 39 of the FDI Act and GLBA Subtitle A's customer information safeguarding and enforcement provisions.
These guidelines address standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.

        Part 332 – Privacy of Consumer Financial Information: Part 332 governs financial institutions' [15] treatment of nonpublic personal information about consumers and (1) requires a financial institution to provide notice to customers about its privacy policies and practices; (2) describes the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties; and (3) provides a method for consumers to prevent a financial institution from disclosing that information to most nonaffiliated third parties by "opting out" of that disclosure, subject to exceptions.

        Part 308, Subpart R – Submission and Review of Safety and Soundness Compliance Plans and Issuance of Orders to Correct Safety and Soundness Deficiencies: The FDIC may, based upon an examination, inspection, or any other information that becomes available to the FDIC, determine that a financial institution has failed to satisfy the safety and soundness standards set out in Part 364 and in Appendix B to Part 364. If the FDIC determines that a financial institution has failed to satisfy any such standard, the FDIC may request the submission of a compliance plan and may take appropriate enforcement actions if the financial institution fails to submit an acceptable plan or fails, in any material respect, to implement a plan accepted by the FDIC.

[12] As of August 29, 2003, this report had not been finalized.
[13] GAO report on Financial Privacy entitled Too Soon to Assess the Privacy Provisions in the Gramm-Leach-Bliley Act of 1999, dated May 2001 (GAO-01-617).
[14] Codified to title 12 of the Code of Federal Regulations.
[15] Part 332 applies to financial institutions insured by the FDIC (other than members of the Federal Reserve System) for which the FDIC has primary supervisory authority, insured state branches of foreign banks, and certain subsidiaries of such entities.

DSC's Approach for Examining Standards for Safeguarding Customer Information

The DSC includes the standards for safeguarding customer information in its examination procedures. Since 2001, the DSC has applied the following procedures:

•   The federal banking regulators developed examination procedures in 2001 to assist examiners in evaluating a financial institution's compliance with the customer information safeguards established by the federal banking regulators and to ensure that the established standards are applied consistently. The FDIC advised its financial institutions of these procedures through Financial Institution Letter FIL-68-2001, Examination Procedures to Evaluate Customer Information Safeguards, dated August 24, 2001. The DSC distributed the examination procedures to its examiners through a Regional Directors Memorandum (RDM) entitled Examination Procedures to Evaluate Customer Information Safeguards, dated August 28, 2001, Transmittal Number 2001-032 (RDM 2001-032). The DSC instructed examiners to assess compliance with customer information safeguards during examinations started after July 1, 2001.

•   Examiners could also use the procedures contained in an Examination Documentation (ED) Module, "GLBA 501(b) – Safeguarding Customer Information." The most recent version of this ED Module is dated April 2002. The FDIC and the Federal Reserve Board developed the ED Module to provide examiners with a tool to focus on risk management and to establish an appropriate examination scope. RDM 2001-039, entitled Guidelines for Examination Workpapers and Discretionary Use of Examination Documentation Modules and dated September 25, 2001, provided for discretionary use of the ED Module.

•   On October 9, 2002, the FDIC issued FIL-118-2002, New Examination Procedures for Assessing Information Technology Risk, to advise financial institutions of DSC's new program for IT risk at FDIC-supervised financial institutions. The FDIC's program incorporated a new philosophy for categorizing financial institutions' use of technology and consequential exposure to technology risk, along with updated and more risk-focused IT examination procedures. In FIL-118-2002, the FDIC identified and included two new work programs, IT-MERIT (Maximum Efficiency, Risk-Focused, Institution-Targeted) Procedures and an IT General Work Program, and provided the following descriptions.

       -   IT-MERIT examination procedures will be used by examiners conducting technology risk reviews at FDIC-supervised financial institutions with the least technology risk. These simplified procedures will greatly streamline the review process for financial institutions in this group.

       -   The IT General Work Program was developed to improve efficiencies by consolidating several existing technology-related work programs into a single work program and eliminating redundant review areas. This work program will be used by examiners conducting IT risk reviews at FDIC-supervised financial institutions with low to moderate technology risk.
The work program replaces several previously issued work programs, such as the Electronic Banking Work Program, the Examination Procedures to Evaluate Customer Information Safeguards, the Community Bank Work Program, and others.

The DSC issued RDM 2002-043, entitled Information Technology Maximum Efficiency, Risk-Focused, Institution Targeted (IT-MERIT); and IT General Work Program Guidelines, dated September 30, 2002, to implement the new examination guidelines and procedures. RDM 2002-043 states that, to address the different levels of risk posed by financial institutions through their use of IT, four new categories were developed to describe an institution’s technology risk profile: Type I, Type II, Type III, and Type IV financial institutions. Table 1 shows the examination procedures to be used for each type.

Table 1: Technology Types and IT Examination Procedures

Type I
    Description: Limited networking and E-Banking activities; no in-house programming or core processing; minimal external threats; primary risks are centered on the core banking system or vendor management; and no history of less than satisfactory examination ratings.
    IT Examination Procedures: IT-MERIT Procedures.

Type II
    Description: Limited networking and E-Banking activities; usually do not conduct in-house programming or servicing of other financial institutions; minimal external threats; primary risks are centered on the core banking system or vendor management; and a history of less than satisfactory examination ratings.
    IT Examination Procedures: IT General Work Program.

Type III
    Description: Fully integrated networking within operations; increased external threats from E-Banking activities and Internet connections; and increased operational risk from limited programming activities or servicing responsibilities.
    IT Examination Procedures: IT General Work Program, supplemented with Federal Financial Institutions Examination Council* (FFIEC) Work Programs as needed.

Type IV
    Description: Relies upon networks and other communication systems as a critical element of operations; networking among business clients and partners is common; Internet connectivity may be relied upon as a critical communications medium; risk of compromise of or access to critical systems from external sources is present; and complexity of technology increases system administration and security risks.
    IT Examination Procedures: FFIEC Work Programs.

Source: RDM 2002-043 dated September 30, 2002.
* The FFIEC, established in March 1979 pursuant to Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978 (FIRICA, Pub. L. No. 95-630, codified at 12 U.S.C. 3301 et seq.), is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System, the FDIC, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision and to make recommendations to promote uniformity in the supervision of financial institutions.

DSC’s Approach for Examining Privacy Notice Requirements

The FDIC and other federal banking regulators developed and approved examination procedures to review supervised financial institutions for compliance with the joint regulation on Privacy of Consumer Financial Information. On May 17, 2001, the FDIC issued to financial institutions FIL-46-2001, FFIEC Compliance Examination Procedures for Part 332 – “Privacy of Consumer Financial Information,” which provided the examination procedures to be used after July 1, 2001. FDIC’s Division of Compliance and Consumer Affairs (DCA)[16] distributed the interagency examination procedures to all DCA staff through a memorandum entitled Interagency Examination Procedures for Reviewing Compliance with Part 332 – Privacy of Consumer Financial Information (Transmittal No. DCA 01-002), dated May 18, 2001.

[16] The FDIC merged the Division of Supervision and DCA into DSC effective July 1, 2002.

In June 2003, the DSC advised financial institutions of its revised compliance examination process through FIL-52-2003, Compliance Examination Procedures.
Under the new approach, FDIC compliance examinations combine the risk-based examination process with an in-depth evaluation of a financial institution’s compliance management system.

RESULTS OF EVALUATION

Overall, the FDIC has made reasonable progress in implementing GLBA Title V provisions related to safeguarding customer information and privacy notice requirements and modest progress in implementing provisions related to fraudulent access to financial information. Our assessment of FDIC’s progress is based on an analysis of the Corporation’s and DSC’s efforts to establish regulations, issue implementing guidelines to financial institutions, and develop and implement procedures to examine financial institutions’ compliance with GLBA Title V provisions.

Specifically, the FDIC established rules and regulations that appropriately address the applicable provisions related to safeguarding customer information and privacy notice requirements and established adequate guidance and examination procedures to help ensure that financial institutions under its jurisdiction meet the safeguarding and privacy notice requirements. The DSC assesses a financial institution’s compliance (1) with standards for safeguarding customer information through IT examinations and (2) with privacy notice requirements through compliance examinations. The GLBA Title V provisions related to FCRA-affiliate information sharing have not yet been fully implemented, but are being addressed through proposed interagency regulations still in process.

Regarding GLBA Title V provisions related to fraudulent access to financial information, the FDIC issued guidance on identity theft and pretext calling to financial institutions, but DSC has not established specific examination procedures to determine financial institutions’ compliance with the guidance. (See Finding A: FDIC’s Progress in Implementing GLBA Title V -- Privacy Provisions.)

The FDIC has taken actions to implement the GLBA Title V provisions related to safeguarding customer information and privacy notice requirements. However, we noted that several management actions are needed related to DSC’s IT examination process.

   •   Establish examination procedures for ensuring that financial institutions have controls in place to prevent unauthorized disclosure of customer financial information (Subtitle B). Although the FDIC has issued guidance on identity theft and pretext calling to inform financial institutions about developments in these two areas of consumer bank fraud, DSC’s IT examination procedures do not include steps to specifically assess how banks protect customer information from unauthorized disclosure.

   •   Ensure consistency in assessing and reporting a financial institution’s level of compliance with standards for safeguarding customer information (Subtitle A). DSC’s IT General Work Program does not always specifically identify those procedures that are appropriate and necessary for assessing a financial institution’s compliance with these standards. If examination procedures do not specifically reference the safeguarding standards under review, the FDIC is at risk that key requirements may not be considered in assessing a financial institution’s compliance with the standards.

       Further, DSC has multiple guidelines at the headquarters and regional level that provide differing instructions to examiners for reporting a financial institution’s compliance with standards for safeguarding customer information. These guidelines vary from an examiner’s use of exception reporting to combined reporting of noncompliance or level of compliance. National DSC guidance on reporting compliance with the standards is needed to promote consistency among DSC’s regional offices. (See Finding B: DSC’s Examination Procedures for GLBA Title V -- Privacy.)

FINDINGS AND RECOMMENDATIONS

FINDING A: FDIC’S PROGRESS IN IMPLEMENTING GLBA TITLE V -- PRIVACY PROVISIONS

The FDIC made reasonable progress in implementing GLBA Title V Subtitle A’s provisions, as demonstrated in the regulations, FILs, and other guidance the Corporation has issued to financial institutions it supervises. In addition, the FDIC participated in interagency efforts and jointly issued standards for safeguarding customer information, examination procedures to assess compliance with those standards, and examination procedures to review compliance with privacy notice requirements. However, the FDIC’s progress in implementing Subtitle B’s provisions is modest. The Corporation issued guidance to its supervised financial institutions on identity theft and pretext calling which referenced published guidelines on the safeguards financial institutions can put into place to help prevent problems caused by pretext calling. However, as discussed in Finding B, DSC has not established specific examination procedures to review a financial institution’s compliance with the guidelines on pretext calling.

FDIC Rules and Regulations and FDIC Procedures that Address GLBA Title V Provisions

The FDIC has issued rules and regulations, guidance, and procedures that address most of the GLBA Title V provisions.
Table 2 illustrates FDIC’s activities for major GLBA Title V provisions and shows that, as discussed in Finding B, DSC has not specifically identified examination procedures related to Subtitle B. Appendix III lists all GLBA Title V privacy provisions.

Table 2: FDIC Rules, Guidance, and Implementing Procedures for Major GLBA Title V Privacy Provisions

Subtitle A – Disclosure of Nonpublic Personal Information

§501(b). Financial Institutions Safeguards and §505(b). Enforcement of Section 501 – Requires each “agency” to establish and implement standards relating to administrative, technical, and physical safeguards to protect nonpublic personal information.
    Federal Register: Vol. 66, 8616 - 8641 (February 1, 2001), Final Rule – Interagency Guidelines Establishing Standards for Safeguarding Customer Information and Rescission of Year 2000 Standards for Safety and Soundness.
    FDIC Rules and Regulations: Part 364, Standards for Safety and Soundness, Appendix B. Part 308, Subpart R, Submission and Review of Safety and Soundness Compliance Plans and Issuance of Orders to Correct Safety and Soundness Deficiencies.
    Financial Institution Letters: a) FIL-22-2001, March 14, 2001. b) FIL-68-2001, August 24, 2001. c) FIL-118-2002, October 9, 2002. d) FIL-11-2003, February 12, 2003.
    DSC Examination Procedures: a) Examination Procedures to Evaluate Compliance with the Guidelines to Safeguard Customer Information. b) IT Examination Procedures: IT-MERIT; General Work Program; FFIEC.

§502 – 504. The “agencies” shall consult and coordinate in developing regulations necessary to carry out the purpose of Subtitle A.
    Federal Register: Vol. 65, 35162 - 35236 (June 1, 2000), Final Rule – Privacy of Consumer Financial Information.
    FDIC Rules and Regulations: Part 332, Privacy of Consumer Financial Information.
    Financial Institution Letters: a) FIL-34-2000, July 5, 2000. b) FIL-3-2001, January 22, 2001. c) FIL-46-2001, May 17, 2001. d) FIL-73-2001, August 29, 2001. e) FIL-106-2001, December 20, 2001.
    DSC Examination Procedures: Interagency Examination Procedures for Reviewing Compliance with Part 332.

§506(a). Amendment – Section 621 of the Fair Credit Reporting Act is amended.
    Federal Register: Vol. 65, 63120 - 63141 (October 20, 2000), Proposed Rule, Fair Credit Reporting Regulations.
    FDIC Rules and Regulations: Part 334 – Fair Credit Reporting.[a]
    Financial Institution Letters: a) FIL-71-2000, October 26, 2000. b) FIL-26-2001, March 27, 2001.
    DSC Examination Procedures: DCA Memorandum Transmittal Number DCA-00-009, Revised Interagency Examination Procedures for the Fair Credit Reporting Act, directs the resumption of routine examinations for compliance with the FCRA.

Subtitle B – Fraudulent Access to Financial Information

§525. Agencies to issue guidelines to ensure consistency with Subtitle B.
    Federal Register: Not Applicable.[b]
    FDIC Rules and Regulations: Not Applicable.
    Financial Institution Letters: FIL-39-2001, May 9, 2001.
    DSC Examination Procedures: Discussed in Finding B.

Source: OIG Analysis.
[a] The federal banking regulators anticipate issuing a new proposed rulemaking for public comments in response to comments received on the October 20, 2000 proposal.
[b] This section of GLBA Title V did not require the creation of an FDIC rule and regulation or standard.

To verify DSC’s implementation, we selected and reviewed examination workpapers for a judgmental sample of 11 IT examinations. In all cases, we confirmed that the examination team used the appropriate examination procedures -- IT-MERIT, IT General Work Program, or alternative procedures[17] -- based on the complexity and risk of the financial institution’s technology functions.

Internal Quality Assurance Review of the Privacy Examination Process

DSC’s Internal Control Review Section (ICRS) issued a Report on the Quality Assurance Review of the Privacy Examination Process, dated December 2002, which addressed compliance examinations of privacy notice requirements conducted at FDIC-supervised financial institutions during the first 3 months of 2002. The report identified the following findings: (1) workpaper documentation did not consistently demonstrate that a thorough privacy examination was completed; (2) examination procedures were not consistently employed to conduct privacy examinations; and (3) time associated with conducting the privacy examination was not consistently reported in the Scheduling Hours and Reporting Package, a DSC system used to monitor examination resources.

DSC developed an Action Plan to address the report findings and sent the Action Plan to Regional Directors and Deputy Regional Directors (Compliance) on May 16, 2003.
The Action Plan conveyed clarifying information regarding GLBA Title V and identified responsibilities and actions to be taken by management and examination staff to ensure improvements to the privacy examination process. Table 3 presents a summary of the actions planned by DSC to address the ICRS’s findings.

Table 3: DSC Action Plan Items
 Action Planned
 1. Using approved interagency procedures to conduct privacy examinations.
 2. Interviewing institution management to determine whether written policies and procedures reflect actual practices.
 3. Requesting and reviewing joint marketing agreements between the bank and third parties.
 4. Preparing a scope memorandum for the entire compliance examination.
 5. Preparing and filing examiner summaries with the workpapers.
 6. Establishing a baseline measurement that documents the degree to which each region has complied with actions 1-5 mentioned above.
 7. Ensuring that privacy issues are discussed in routine regional meetings and conference calls, as applicable.
 8. Identifying a privacy subject matter expert in each region and privacy points-of-contact in each of the field offices.
 9. Emphasizing privacy during Commissioned Compliance Examiner Workshops.
 10. Preparing a “Job Aid” to be used by examiners for interviewing bank staff.
 11. Conducting a follow-up review of the privacy examination process in October 2003.
 Source: DSC’s May 16, 2003 Memorandum to Regional Directors and Deputy Regional Directors (Compliance) from Deputy Director for Compliance and Consumer Protection.

[17] Of the 11 IT examinations we reviewed, 6 were Type I, Type II, or Type III financial institutions, and examiners used the appropriate MERIT or IT General Work Program procedures; 2 were Type IV financial institutions, and examiners used the FFIEC Work Programs, as supplemented by other procedures; 2 were data processing servicers; and 1 was a visitation.

For this evaluation, we did not review examination workpapers for privacy notice requirements examinations because DSC was in the process of developing its Action Plan when we started our review.

DSC Views on Financial Institutions’ Compliance with GLBA

DSC officials responsible for IT examinations in FDIC’s San Francisco Regional Office and Chicago Regional Office told us that the majority of FDIC-supervised financial institutions have adopted some type of information security program as required under GLBA and the implementing regulations. The examiners in the San Francisco Regional Office have encountered a few isolated instances where financial institutions were in substantial noncompliance with the standards for safeguarding customer information. For example, the examiners found either an inadequate assessment or no comprehensive risk assessment, lack of testing and monitoring of key controls, weak vendor/service provider oversight programs, and failure to provide for adequate reporting to the Board of Directors. Chicago Regional Office officials said that financial institutions’ information security programs usually fall short of fully complying with the GLBA requirements.
The Chicago Regional Office’s examination findings often indicate that the information security program does not include all necessary elements; risk assessments are incomplete and/or informal; audits do not fully test key controls, systems, and procedures; and employee training and awareness initiatives are limited and infrequent.

Currently, DSC does not maintain formal statistics on instances of apparent noncompliance with standards for safeguarding customer information identified during IT examinations. Although we are not making formal recommendations in this regard, such statistics could be helpful in identifying emerging issues and trends and in assessing whether the IT examination program is achieving its desired outcomes. We encourage DSC to begin maintaining basic statistics.

The DSC does generate and maintain statistical information on noncompliance with privacy notice requirements identified during compliance examinations. We obtained summary information on the number and description of privacy notice deficiencies identified during compliance examinations conducted within the first year of the GLBA Title V enactment. Approximately 5 percent of the institutions that underwent a compliance examination were cited for a violation of FDIC Rules and Regulations, Part 332. Generally, the smaller the institution, the more often examiners found violations of Part 332. Some of the violations identified were related to the following sections of Part 332:

   •   Section 332.6 – Information to be Included in Privacy Notices.
   •   Section 332.4 – Initial Privacy Notice to Consumers.
   •   Section 332.7 – Form of Opt Out Notice to Consumers and Opt Out Methods.
   •   Section 332.12 – Limits on Sharing Account Number Information for Marketing Purposes.

The DSC’s statistics for compliance examinations conducted in 2002 and early 2003 show the most common deficiencies tend to deal with the omission of information from banks’ privacy notices and incorrect disclosures of information wherein information in a privacy notice does not always accurately reflect a financial institution’s information-sharing practices.

FINDING B: DSC’S EXAMINATION PROCEDURES FOR GLBA TITLE V -- PRIVACY

The FDIC has made progress in implementing the GLBA’s Title V provisions related to safeguarding customer information and privacy notice requirements, yet enhancements are needed in the examination process to ensure financial institutions have controls in place to prevent unauthorized disclosure of customer financial information and to provide consistency in assessing and reporting a financial institution’s compliance with standards for safeguarding customer information.
DSC’s IT examination procedures do not include steps designed to explicitly assess financial institutions’ compliance with the guidance issued for Subtitle B. Without specific procedures, examinations may not be adequately assessing financial institutions’ compliance with GLBA privacy provisions to prevent and detect fraudulent access to financial information. Moreover, DSC’s IT General Work Program does not always specifically designate those procedures relevant to determining a financial institution’s compliance with safeguarding standards (Subtitle A). Without specific procedures designated as addressing GLBA, the DSC cannot be assured that examiners will consider all relevant examination procedures in assessing a financial institution’s compliance with the standards. Finally, to promote consistency in reporting financial institutions’ compliance with these standards, DSC national guidance is needed to standardize differing instructions provided to examiners by regional and headquarters officials.

Subtitle B – Fraudulent Access to Financial Information

According to Section 525 in Subtitle B, the FDIC and other federal banking regulators are to review their regulations and guidelines to ensure that financial institutions have policies, procedures, and controls in place to prevent the unauthorized disclosure of customer financial information and to deter and detect fraudulent access to such information. In response to these requirements, the FDIC and the other federal banking regulators issued guidance on how banking organizations should protect customer information against identity theft and pretext calling. The FDIC advised the financial institutions of Guidance on Identity Theft and Pretext Calling through FIL-39-2001 on May 9, 2001, and identified the guidance as a supplement to FDIC guidelines on customer information security, issued February 1, 2001, pursuant to Section 501(b) of the GLBA.

The Guidance on Identity Theft and Pretext Calling provides steps that financial institutions should take to safeguard customer information and reduce the risk of loss from identity theft and pretext calling, including the following:

   •   Establishing procedures to verify the identity of individuals applying for financial products.
   •   Establishing procedures to prevent fraudulent activities related to customer information.
   •   Maintaining a customer information security program.
   •   Reporting suspected identity theft and pretext calling through Suspicious Activity Reports (SAR).
   •   Making available to customers information about how to prevent identity theft.

However, DSC’s examination procedures do not identify steps specifically designed to review a financial institution’s compliance with the guidance on pretext calling. For example, the work program could include procedures to review:

     •   the measures taken by the financial institution to reduce the incidence of pretext calling, including limiting the circumstances under which customer information may be disclosed by telephone;
     •   the financial institution’s training activities to determine whether employees are made aware of ways to recognize and report possible indicators of attempted pretext calling; or
     •   a financial institution’s level of activity in identifying and tracking known or suspected criminal violations related to pretext calling and reporting such violations in a SAR.

Until the DSC establishes specific procedures for examining how financial institutions protect customer financial information from unauthorized disclosure, examinations may not adequately assess financial institutions’ compliance with guidance to prevent and detect fraudulent access to financial information. The statutory requirements of Subtitle B do not explicitly require agencies to examine financial institutions’ compliance with guidance on identity theft and pretext calling. However, the legislative history of the GLBA Title V indicates a congressional expectation that federal banking regulators should examine financial institutions’ compliance with regulators’ guidance and the adequacy of those financial institutions’ controls relative to preventing and detecting pretext calling. According to the House Commerce Committee Report (H.R. Report No. 106-74, pt. 3, (1999)), Subtitle B provides additional protections against pretext calling by increasing the then-existing penalties for fraudulent information gathering and gives the FTC specific directions to prosecute violations.[18]
The report states that, “Subtitle B recognizes the importance of financial institutions implementing strong internal controls to prevent unauthorized disclosure of their customers’ private financial information.” Regarding Section 525 of Subtitle B, the congressional report indicates:

         This section requires each Federal banking agency and the SEC [Securities and Exchange Commission] or self-regulatory organizations to review its regulations and guidelines governing the protection of confidential consumer financial information and to revise such provisions as necessary to ensure appropriate confidentiality safeguards. Those safeguards will include those policies, procedures, and controls as would reasonably be expected to prevent and detect activities proscribed by the legislation. The Committee expects the appropriate examining authorities to include compliance with such guidelines and the adequacy of such internal controls in their examinations of these institutions [emphasis added].

DSC officials told us that Bank Secrecy Act (BSA) examination procedures include steps for verification of controls and issuance of SARs; these areas relate to protecting customer information. Further, DSC’s IT examination work programs include procedures related to reviewing a financial institution’s information security program -- one of the safeguards identified in the guidance on pretext calling. However, DSC’s IT examination work programs do not specifically or clearly identify the information security program steps or other procedures that would assist examiners in determining compliance with the guidance on identity theft and pretext calling.

[18] The enacted version of Subtitle B includes the National Credit Union Administration in Section 525 and provides the federal banking regulators with administrative enforcement powers with respect to financial institutions under their respective jurisdictions.

DSC officials acknowledge that IT examination work programs do not specifically include procedures for determining a financial institution’s compliance with guidance on pretext calling. However, DSC officials were not certain which examination (i.e., IT examination, safety and soundness, or compliance) should include these procedures. Accordingly, our recommendation to include steps for assessing financial institutions’ compliance with the guidance on pretext calling references DSC’s examination procedures in general rather than a specific type of examination.

Procedures for Examining Standards for Safeguarding Customer Information

The FDIC initially advised financial institutions of its examination procedures to evaluate compliance with the standards for safeguarding customer information through FIL-68-2001, dated August 24, 2001. These examination procedures were developed on an interagency basis to promote consistency among the federal banking regulators.
The DSC distributed the\ninteragency procedures to its examiners through RDM 2001-032 on August 28, 2001.\n\nThe interagency procedures included the following examination objective: \xe2\x80\x9cDetermine whether\nthe financial institution has established an adequate written Information Security Program and\nwhether the program complies with the Guidelines Establishing Standards for Safeguarding\nCustomer Information mandated by section 501(b) of the Gramm- Leach-Bliley Act of 1999.\xe2\x80\x9d\nThe interagency procedures contained key questions and considerations that examiners should\ntake into account when assessing the adequacy of a financial institution\xe2\x80\x99s information security\nprogram and grouped the work steps into five categories addressing the major provisions of the\nstandards for safeguarding customer information. Table 4 shows the five categories and\nexamples of a key question for each category.\n\n\n\n\n                                               17\n\x0cTable 4: Interagency Procedures \xe2\x80\x93 Categories and Key Questions\n                    Category                                       Key Question\n Determine the involvement of the Board of       Has the Board or its designated committee\n Directors in the Information Security           approved a written Corporate Information\n Program.                                        Security Program that meets the requirements\n                                                 of the Information Security Guidelines?\n Evaluate the risk assessment process.           How does the institution assess risk to its\n                                                 customer information systems and nonpublic\n                                                 customer information?\n Evaluate the adequacy of the program to         Review internal controls and policies. Are the\n manage and control risk.                        
controls adequate to support risk mitigation\n                                                 judgments?\n Assess the measures taken to oversee service    Do contracts require service providers to\n providers.                                      implement appropriate measures to meet the\n                                                 objectives of the standards for safeguarding\n                                                 customer information?\n Determine whether an effective process exists   Does the institution have an effective process\n to adjust the information security program.     to adjust the information security program as\n                                                 needed? Is the appropriate person assigned\n                                                 responsibility for adjusting the program?\nSource: RDM 2001-032.\n\nThe interagency procedures clearly indicated that the work steps were intended to be in support\nof assessing the financial institutions\xe2\x80\x99 compliance with the standards for safeguarding customer\ninformation. The interagency procedures also included steps to summarize the procedures\nperformed and to communicate findings related to assessing compliance with the standards for\nsafeguarding customer information.\n\nIn September 2002, the DSC issued new examination guidelines and related streamlined\nprocedures for IT examinations, including two new work programs, IT-MERIT and IT General\nWork Program. The IT General Work Program replaced various work programs, including the\ninteragency procedures for evaluating the standards for safeguarding customer information. The\nIT General Work Program consists of work program questions (procedures) that are linked to a\n\xe2\x80\x9cHelp\xe2\x80\x9d section for examiners to use, when needed. 
The “Help” section provides a description of the purpose of each work step question and the risk to the financial institution if the question is not addressed or implemented in an acceptable manner.

Unlike the interagency procedures, DSC’s IT General Work Program is not structured to include key questions or considerations that an examiner would take into account in assessing the financial institution’s compliance with the standards for safeguarding customer information. Further, DSC’s new IT examination procedures do not include steps or references to specific procedures in the work program to assess compliance with the standards for safeguarding customer information. In addition, DSC’s examination procedures do not include steps to summarize and communicate the results of the examiner’s work related to evaluating compliance with the standards for safeguarding customer information.

We determined that 42 of the 67 procedures in the IT General Work Program relate to the standards for safeguarding customer information, but we identified only 1 procedure that explicitly references GLBA and 1 procedure that cites a GLBA requirement, namely “Information Security Guidelines.” As shown in Table 5, we identified six references to the topic of safeguarding customer information in the “Help” section of the IT General Work Program.

Table 5: References to the Standards for Safeguarding Customer Information in the IT General Work Program “Help” Section
Columns: IT General Work Program Examination Procedure; “Help” Section References to GLBA Customer Information Safeguarding.

Procedure: Audit – 1d. Does the internal and/or external auditor or designated officer or employee review the following… “Compliance with Section 501(b) of the Gramm-Leach-Bliley Act?”
Help Section: Help Section Q1d – Does the internal and/or external auditor or designated officer review the following... “Compliance with Section 501(b) of the Gramm-Leach-Bliley Act?”

Procedure: IT Policies – 2.1a. Has the board or its designated committee approved a written Corporate Information Security Program that meets the requirements of the Information Security Guidelines?
Help Section: Help Section Q2.1a –
  • Section 501(b) of the Gramm-Leach-Bliley Act (GLBA) of 1999 requires each institution to implement a comprehensive written information security program.
  • For additional information see: FDIC Rules and Regulations – Part 364, Appendix B.

Procedure: IT Policies – 2.1c. Consider the following when evaluating the Risk Assessment process…
Help Section: Help Section Q2.1c (paraphrased) –
  • Accordingly, the GLBA guidelines indicate that institutions should consider the sensitivity of customer information.
  • Under the GLBA guidelines, a financial institution should identify the threats that could result in alteration of customer information systems.

Procedure: IT Policies – 2.1e. Is staff adequately trained to implement the security program?
Help Section: Help Section Q2.1e – Staff should be trained on information security and privacy guidelines promulgated by GLBA.

Procedure: IT Policies – 2.1h. Determine the usefulness of risk assessment reports from management to the board (or its designated committee).
Help Section: Help Section Q2.1h – Each bank should report to its Board on the status of its information security program and the bank’s compliance with the GLBA guidelines.

Procedure: Support and Delivery – 4d. Is computer output (printouts, microfiche, optical disks, etc.) adequately controlled and disposed of?
Help Section: Help Section Q4d – Controls over computer output must meet the requirements of Section 501(b) of the Gramm-Leach-Bliley Act.

Source: OIG Analysis and DSC IT General Work Program.

Table 6 illustrates IT General Work Program procedures that relate to the standards for safeguarding customer information but are not specifically identified in the procedures as related to GLBA.

Table 6: Example of GLBA-Related Examination Procedures that Do Not Reference GLBA
Columns: IT General Work Program and Examination Procedure; Relates to GLBA Standards (Part 364) for Safeguarding Customer Information.

Procedure: IT Policies – 2.1d. Review written policies and procedures and determine whether the following controls have been considered.
Part 364 Standard: Each bank shall: (1) identify internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer data or customer information systems; (2) assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and (3) assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.

Procedure: Vendor Management – 2.2a. Does the bank have a vendor oversight program that includes analyzing financial statements and other reports on its significant vendor(s) and/or servicer(s)?
Part 364 Standard: Each bank shall oversee service provider arrangements.

Procedure: Support and Delivery – 4a. Is separation of duties and responsibilities adequate in the following areas…
Part 364 Standard: Each bank shall design its information security program with security measures to include dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information.

Procedure: Data and Physical Security – 4.1i. Are adequate safeguards in effect to ensure that only authorized personnel are permitted in the computer area?
Part 364 Standard: Each bank shall design its information security program with security measures to include access restrictions at physical locations containing customer information to permit access only to authorized individuals.

Source: OIG Analysis, DSC IT General Work Program, and FDIC Rules and Regulations Part 364, Appendix B.

Without specific procedures designated as addressing GLBA, the DSC cannot be assured that examiners will consider all relevant examination procedures in assessing a financial institution’s compliance with standards for safeguarding customer information.

In regard to reporting a financial institution’s compliance with standards for safeguarding customer information, we noted disparities in DSC’s examination reporting guidance. DSC’s guidance for its new risk-focused IT examination procedures (RDM 2002-043) does not identify the standards for safeguarding customer information reporting requirements. However, DSC guidance (RDM 2001-032), which is still in effect, instructs examiners to note material instances of noncompliance in the report of examination. We also noted that regional DSC guidance varied from instructing examiners to report levels of compliance to instructing examiners to report on instances of noncompliance. Table 7 illustrates the different reporting guidelines.

Table 7: DSC’s Guidelines on GLBA Reporting
Columns: Guidelines; Reporting Instructions.

Guidelines: RDM 2001-032: Examination Procedures to Evaluate Customer Information Safeguards.
Reporting Instructions: Material instances of non-compliance should be noted in the report of examination and discussed with bank management. Serious weaknesses and management’s response should be documented where appropriate in the report of examination (i.e., the risk management pages, the Examination Conclusions and Comments page, and the Apparent Violations page).

Guidelines: Region 1. Memorandum from Regional Director to Examiners and Assistant Examiners.
Reporting Instructions: In addition to including an introductory paragraph related to a review of safeguarding customer information, each report must address the bank’s compliance with the provisions of section 501(b) of GLBA and Appendix B. The length of the report comment is expected to vary based on the size and complexity of the institution being examined and the number of section 501(b) of GLBA and Appendix B exceptions. In institutions where management is well aware of the GLBA requirements, and is in full compliance, the comment need only state that compliance with GLBA was reviewed and that the bank is in compliance with all requirements.

Guidelines: Region 2. Memorandum from Regional Director to DSC Risk Management Examiners, Assistant Examiners and Professional Staff.
Reporting Instructions: When a bank has an acceptable program for the safeguarding of customer information and no material findings are noted, such cases include a brief overview of the program in the confidential section of the Report. If the program has minor deficiencies, a comment ‘recommending that the bank review the Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Appendix B to Part 364 of the FDIC Rules and Regulations)’ may be appropriate. When findings are sufficiently deficient, they should be placed on the examination conclusions and supporting pages of the IT Report of Examination.

Guidelines: Region 3. Memorandum from Regional Director to Field Examiners and Regional Office Professional Staff.
Reporting Instructions: Examiners should continue to assess compliance with the Guidelines at all Safety and Soundness and/or Information Technology examinations. Weaknesses should generally be documented in the Information Technology Assessment pages; however, material instances of non-compliance may be detailed on the Violations page as a Contravention of Part 364, Appendix B. Material instances of non-compliance should also be brought forward to the Risk Management and Examination Conclusions and Comments pages, where appropriate.

Source: RDM 2001-032 and Regional Guidance.

DSC issued RDM 2001-045, Revised Report of Examination, on October 11, 2001, as guidance for examiners to use in preparing reports of examination. DSC has taken the position that the report of examination in and of itself constitutes adequate documentation of the work performed and provides the basis for conclusions reached. Further, DSC officials stated that the report of examination has been the primary basis and support for legal proceedings. Additionally, the DOS [Division of Supervision] Manual of Examination Policies recognizes that the report of examination generally serves as the FDIC’s primary evidentiary exhibit in formal administrative actions.
For these reasons, consistency in reporting on compliance with GLBA Title V privacy provisions is important.

CONCLUSIONS AND RECOMMENDATIONS

Although the FDIC has made progress in implementing the GLBA’s Title V provisions related to safeguarding customer information and privacy notice requirements, the FDIC could take additional steps to help ensure full implementation of the GLBA Title V privacy provisions. To ensure that financial institutions have policies, procedures, and controls in place to prevent the unauthorized disclosure of customer financial information and to deter and detect fraudulent access to such information (Subtitle B), DSC needs to identify specific procedures in its examination work programs for examiners to assess the financial institutions’ compliance with guidance on protecting customer information against identity theft. To promote consistency in assessing and reporting on a financial institution’s compliance with standards for safeguarding customer information (Subtitle A), DSC should identify the specific procedures in the IT General Work Program that are designed to assess compliance with the safeguarding standards. Further, DSC should standardize its guidance related to reporting the results of evaluating a financial institution’s compliance with the standards for safeguarding customer information.

We recommend the Director, DSC:

 (1) Modify examination procedures to identify steps for assessing financial institutions’ compliance with GLBA Title V, Subtitle B, provisions intended to prevent the unauthorized disclosure of customer financial information and to deter and detect fraudulent access to such information.

 (2) Include in the IT General Work Program (a) procedures for summarizing the work performed in the area of GLBA Title V, Subtitle A, provisions for safeguarding customer information and (b) references to the specific procedures that examiners should consider when assessing compliance with those provisions.

 (3) Issue guidance to be used by all regions regarding the manner in which a financial institution’s compliance with standards for safeguarding customer information is addressed in a report of examination.

CORPORATION COMMENTS AND OIG EVALUATION

The Director, DSC, provided a written response, dated September 24, 2003, to a draft of this report. DSC’s response is presented in its entirety in Appendix IV to this report. We also had subsequent discussions with DSC staff to clarify aspects of the written response.

DSC concurred with recommendations 1 and 3. DSC partially concurred with recommendation 2, but presented an alternative corrective action that addresses the intent of this recommendation. Specifically, DSC agreed with the intent of recommendation 2 but stated that the IT General Work Program was purposely written in general terms to serve as an all-inclusive document that replaced several existing IT work programs, including examination procedures to evaluate customer information safeguards.
To address this recommendation, DSC agreed to issue guidance to examiners in the form of an RDM that will identify specific procedures that examiners should consider when assessing compliance with GLBA Title V, Subtitle A, provisions and procedures for summarizing the work performed in this area. DSC stated that the RDM will be issued by December 31, 2003.

DSC’s comments were responsive, and DSC’s proposed actions are sufficient to resolve the recommendations. The recommendations will remain undispositioned and open for reporting purposes until we have determined that agreed-to corrective actions have been completed and are effective. Appendix V presents a summary table showing DSC’s responses to our three recommendations.

APPENDIX I

OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of our evaluation was to determine whether DSC has made reasonable progress in implementing Title V privacy provisions of the GLBA. This evaluation addressed both Subtitle A – Disclosure of Nonpublic Personal Information and Subtitle B – Fraudulent Access to Financial Information.

To accomplish our objective, we performed the following work:

•   Identified and reviewed laws, regulations, guidance, and procedures related to the FDIC’s responsibilities in the area of consumer financial privacy in order to gain an understanding of FDIC’s responsibilities in implementing GLBA Title V provisions and DSC’s approach to conducting examinations of financial institutions’ compliance with consumer privacy requirements.

     1. Gramm-Leach-Bliley Act of 1999, Title V -- Privacy.
     2. Federal Deposit Insurance Act, Section 8.
     3. FDIC Rules and Regulations, Part 334 Proposed Rule, Fair Credit Reporting Regulations.
     4. FDIC Rules and Regulations, Part 332, Privacy of Consumer Financial Information.
     5. FDIC Rules and Regulations, Part 364, Standards for Safety and Soundness, Appendix B, Interagency Guidelines Establishing Standards for Safeguarding Customer Information.
     6. FDIC Rules and Regulations, Part 308, Subpart R, Submission and Review of Safety and Soundness Compliance Plans and Issuance of Orders to Correct Safety and Soundness Deficiencies.
     7. DSC Regional Directors Memorandum (RDM) 2001-032, dated August 28, 2001, entitled Examination Procedures to Evaluate Customer Information Safeguards.
     8. RDM 2002-043, dated September 30, 2002, entitled Information Technology Maximum Efficiency, Risk-Focused, Institution Targeted (IT-MERIT); and IT General Work Program Guidelines.
     9. RDM 2001-045, dated October 11, 2001, entitled Revised Report of Examination.
    10. Division of Compliance and Consumer Affairs (DCA) Director’s Memorandum DCA 01-002, dated May 18, 2001, entitled Interagency Examination Procedures for Reviewing Compliance with Part 332 – Privacy of Consumer Financial Information.
    11. DSC Examination Procedures to Evaluate Compliance with the Guidelines to Safeguard Customer Information Safeguards, as of August 28, 2001.
    12. DSC IT Examination Procedures as of September 30, 2002, including: (a) Integrated Examination Guidelines, (b) Technology Profile Script, (c) IT Examination Questionnaire, (d) Request List, (e) IT-MERIT Examination Procedures, and (f) IT General Work Program.
    13. Interagency Examination Procedures for Reviewing Compliance with Part 332 – Privacy of Consumer Financial Information.

•   Coordinated with FDIC OIG Counsel’s office to obtain a legal review or interpretation regarding: (1) evaluation approach; (2) our Summary Crosswalk of GLBA Title V Provisions to FDIC Rules and Regulations and FDIC Examination Procedures and related crosswalks; and (3) Subtitle B requirements.

•   Reviewed Financial Institution Letters related to GLBA consumer privacy matters to gain an understanding of GLBA Title V requirements for federal banking regulators and financial institutions.

•   Interviewed DSC officials in Washington, D.C., who are responsible for implementing DSC’s IT and compliance examination approaches for consumer privacy. We interviewed DSC officials in three FDIC regional offices in San Francisco, Chicago, and Dallas/Memphis who are responsible for implementing DSC’s IT examination procedures related to consumer privacy.

•   To verify implementation of DSC’s examination procedures to assess financial institutions’ compliance with the standards for safeguarding customer information, we reviewed examination workpapers for 11 sampled IT examinations. The sample of IT examinations was selected by another OIG Corporate Evaluations team performing the evaluation of Business Continuity at FDIC Supervised Institutions (Assignment Number 2003-006).
    Due to the common focus of both evaluations, i.e., the IT examination process and the timing of both assignments, we used the sample of IT examinations selected by the team conducting the business continuity evaluation.

•   The sample focused on IT examinations that started after January 1, 2003 and ended before May 22, 2003 in order to capture IT examinations that were conducted after issuance of the revised IT examination guidelines in September 2002. Two exceptions to this scope were: (1) an IT examination that was conducted in 2002, but had a related “visitation” in 2003; and (2) a Multi-Regional Data Processing Servicer (MDPS) examination that was performed in May 2002. This May 2002 MDPS examination was selected because it was the most recent MDPS examination for which the FDIC was the lead agency. To gain an understanding of the relative differences in DSC’s approach, the team conducting the business continuity evaluation judgmentally selected IT examinations for institutions that were located in large metropolitan areas with various asset sizes and complexities.

    Our sample was composed of the following:

    TYPE                          NUMBER OF SAMPLED INSTITUTIONS
    I                             1
    II                            1
    III                           4
    IV                            2
    Data Processing Servicers     2
    Visitation                    1

•   For the sampled examinations, we reviewed, when available, the following documents in the examination workpapers:

        o    Report of Examination.
        o    Technology Profile Script.
        o    IT Examination Questionnaire.
        o    Request Lists and Entry Letter.
        o    Pre-examination planning memorandum.
        o    On-site examination procedures and work programs used and examiner’s documentation of work performed.

•   We interviewed the Examiner-in-Charge (EIC) for each of the sampled examinations to obtain an understanding of procedures performed to assess the financial institutions’ compliance with standards for safeguarding customer information.

•   We performed a cursory review of the workpapers related to the examination that was performed in 2002, but had a related “visitation” in 2003. We reviewed the workpapers related to GLBA to determine which procedures were performed in 2002 and at the visitation. In addition, we contacted the EIC for this visitation and asked the standard questions we asked of the other EICs.

•   We gained an understanding of the management control activities associated with the implementation of GLBA Title V by reviewing DSC’s examination procedures and through interviews with DSC management and EICs. Our testing of FDIC’s compliance with laws and regulations was limited to those sections of GLBA Title V applicable to the FDIC. We developed a crosswalk between GLBA Title V and FDIC Rules and Regulations, and DSC’s examination policies and procedures.
    We did not test for fraud or illegal acts or determine the reliability of computer-processed data obtained from the FDIC’s computerized systems.

•   Our work to address the Government Performance and Results Act [19] included reviewing the FDIC 2001-2006 Strategic Plan to identify any goals related to GLBA Title V -- Privacy. We also reviewed the FDIC’s 2003 Annual Performance Plan, in particular, the plan for the Supervision Program, to identify strategic goals, objectives, or annual performance goals that relate directly to GLBA privacy. The 2001-2006 Strategic Plan and the 2003 Annual Performance Plan included the strategic goal: “Consumers’ rights are protected and FDIC supervised institutions invest in their communities.” However, we did not identify specific goals or objectives that mentioned GLBA Title V -- Privacy provisions.

We performed field work in the DSC headquarters in Washington, D.C.; San Francisco Regional Office; Chicago Regional Office; and Memphis Regional Office. We conducted our evaluation from April 2003 through August 2003, in accordance with generally accepted government auditing standards.

[19] Pub. L. No. 103-62, codified in titles 5, 31, and 39, U.S.C.

APPENDIX II

ACRONYMS USED IN REPORT

BSA       Bank Secrecy Act
DCA       Division of Compliance and Consumer Affairs
DSC       Division of Supervision and Consumer Protection
ED        Examination Documentation
EIC       Examiner-In-Charge
FCRA      Fair Credit Reporting Act
FDI Act   Federal Deposit Insurance Act
FDIC      Federal Deposit Insurance Corporation
FFIEC     Federal Financial Institutions Examination Council
FIL       Financial Institution Letter
FTC       Federal Trade Commission
GAO       General Accounting Office
GLBA      Gramm-Leach-Bliley Act of 1999
H.R.      U.S. House of Representatives
ICRS      Internal Control and Review Section
IT        Information Technology
MDPS      Multi-Regional Data Processing Servicer
OIG       Office of Inspector General
RDM       Regional Directors Memorandum
SAR       Suspicious Activity Report

APPENDIX III

SUMMARY CROSSWALK OF GLBA TITLE V PROVISIONS TO FDIC RULES AND REGULATIONS AND FDIC PROCEDURES

Columns: GLBA Title V Section Number and Heading; FDIC Rules and Regulations; Financial Institution Letters (FIL) and/or DSC Examination Procedures (OIG Comments are in Bold).

Subtitle A – Disclosure of Nonpublic Personal Information

501. Protection of Nonpublic Personal Information.

501(a) Privacy Policy.
FDIC Rules and Regulations: [Financial Institution Responsibility]
FIL and/or DSC Examination Procedures: [Financial Institution Responsibility]

501(b) Financial Institutions Safeguards.
FDIC Rules and Regulations: Part 364, Standards for Safety and Soundness, Appendix B – Interagency Guidelines Establishing Standards for Safeguarding Customer Information.
FIL and/or DSC Examination Procedures:
    FIL-22-2001, Guidelines Establishing Standards for Safeguarding Customer Information, dated March 14, 2001, describes the agencies’ expectations for a financial institution to create, implement, and maintain an information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the financial institution and the nature and scope of its activities.
    FIL-68-2001, Examination Procedures to Evaluate Customer Information Safeguards, dated August 24, 2001, provided financial institutions the examination procedures to assist them in their compliance efforts.
    RDM 2001-032, Examination Procedures to Evaluate Customer Information Safeguards, issued by the FDIC on August 28, 2001, to distribute examination procedures to determine compliance with Appendix B to Part 364.
    FIL-118-2002, New Examination Procedures for Assessing Information Technology Risk, dated October 9, 2002, announced new examination procedures for assessing information technology (IT) risk.
    RDM 2002-043, Information Technology Maximum Efficiency, Risk-Focused, Institution Targeted (IT-MERIT); and IT General Work Program Guidelines, issued by the FDIC on September 30, 2002:
        •   IT-MERIT procedures used for banks with the least technology risk.
        •   IT General Work Program used for banks with low to moderate technology risk.
        •   IT General Work Program supplemented with FFIEC Work Programs used for banks having fully integrated networking into their operations.
        •   FFIEC Work Programs used for banks relying upon networks and other communication systems as a critical element of their operations.
    FIL-11-2003, New Information Security Guidance for Examiners and Financial Institutions, dated February 12, 2003, describes the new FFIEC booklet with revised guidance for identifying institutions' information security risks and evaluating their risk-management practices.

502. Obligations with Respect to Disclosures of Personal Information.

502(a) Notice Requirements.
FDIC Rules and Regulations: Part 332, Privacy of Consumer Financial Information. Section 332.1(a) Purpose and scope:
    •   Requires a financial institution to provide notice to customers about its privacy policies and practices.
    •   Describes the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties.
FIL and/or DSC Examination Procedures:
    FIL-34-2000, Final Rule on the Privacy of Consumers' Financial Information, dated June 5, 2000, notified financial institutions of the issuance of the final rule on the privacy of consumers' financial information.
    FIL-3-2001, FDIC Creates Privacy Rule Handbook to Assist Banks With Compliance, dated January 22, 2001, provided a Privacy Rule Handbook, produced by the FDIC, to help financial institutions comply with the final rule governing the privacy of consumer financial information and implement effective consumer privacy policies.
    FIL-46-2001, FFIEC Compliance Examination Procedures for Part 332 – “Privacy of Consumer Financial Information,” dated May 17, 2001, announced FFIEC-developed examination procedures to be used to review supervised financial institutions for compliance with the agencies’ regulation on Privacy of Consumer Information.
    FDIC’s Division of Compliance and Consumer Affairs (DCA) issued a memorandum (Transmittal No. DCA 01-002) on May 18, 2001, to all DCA staff distributing the approved examination procedures developed by the FFIEC. FFIEC procedures were effective for compliance examinations beginning after July 1, 2001.
        •   FFIEC’s examination procedures include steps to: identify the financial institution’s information sharing practices with affiliates and
nonaffiliated third parties; determine how the institution treats\n                       \xe2\x80\xa2   Provides a method for              nonpublic personal information; and determine the manner in which\n                           consumers to prevent a             the institution administers its opt-out rules. Depending on the\n                           financial institution              institution\xe2\x80\x99s information-sharing practices, examiners are directed to\n                           from disclosing that               complete various modules within the procedures. There are six\n                           information to most                modules. The procedures include an examination checklist containing\n                           nonaffiliated third                50 questions designated for \xe2\x80\x9cYes/No\xe2\x80\x9d responses.\n                           parties by \xe2\x80\x9copting out\xe2\x80\x9d\n                           of that disclosure,       FIL-73-2001, Federal Financial Institutions Examination Council CD-ROM\n                                                     on Financial Privacy and Information Security, dated August 29, 2001,\n                           subject to exceptions.\n                                                     distributed a CD-ROM that contained 12 multimedia presentations with audio\n                                                     accompaniment addressing consumer financial privacy, including all aspects\n                                                     of the new privacy rule and the 501(b) security guidelines.\n                                                     FIL-106-2001, Frequently Asked Questions for the Privacy Regulation, dated\n                                                     December 20, 2001, developed with the other federal financial institution\n                                                     regulatory agencies, was issued as answers to "frequently asked questions" 
that\n                                                     represent clarifications and interpretations of the final rule governing the\n                                                     privacy of consumer financial information.\n\n\n\n\n                                                         30\n\x0c                                                                                                                  APPENDIX III\n\n\n   GLBA Title V Section           FDIC Rules and                Financial Institution Letters (FIL) and/or DSC Examination\n   Number and Heading              Regulations                           Procedures (OIG Comments are in Bold)\n502(b) Opt Out.              Section 332.7 Form of opt      FFIEC Procedures, Part A and Module 1.\n                             out notice to consumers; opt\n                             out methods.\n                             Section 332.9 Delivering\n                             privacy and opt out notices.\n                             Section 332.13 Exception to\n                             opt out requirements for\n                             service providers and joint\n                             marketing.\n                             Section 332.15 Other\n                             exceptions to notice and opt\n                             out requirements.\n502(c) Limits on Reuse of    Section 332.11 Limits on       FFIEC Procedures, Part A and Modules 4 and 5.\nInformation.                 redisclosure and reuse of\n                             information.\n502(d) Limitations on the    Section 332.12 Limits on       FFIEC Procedures, Part A and Module 6.\nSharing of Account Number    Sharing account number\nInformation for Marketing    information for marketing\nPurposes.                    purposes.\n502(e) General Exceptions.   
Section 332.14 Exceptions      FFIEC Procedures, Part A and Module 1.\n                             to notice and opt out\n                             requirements for processing\n                             and servicing transactions.\n                             Section 332.15 Other\n                             exceptions to notice and opt\n                             out requirements.\n\n\n\n\n                                                                31\n\x0c                                                                                                                              APPENDIX III\n\n\n   GLBA Title V Section                FDIC Rules and                 Financial Institution Letters (FIL) and/or DSC Examination\n   Number and Heading                   Regulations                            Procedures (OIG Comments are in Bold)\n503. Disclosure of Institution Privacy Policy.\n503(a) Disclosure Required.       Section 332.4 Initial privacy   FFIEC Procedures, Part A and Module 1.\n                                  notice to consumers\n                                  required.\n                                  Section 332.5 Annual\n                                  privacy notice to customers\n                                  required.\n                                  Section 332.8 Revised\n                                  Privacy Notices.\n                                  Section 332.9 Delivering\n                                  privacy and opt out notices.\n503(b) Information To Be          Section 332.6 Information to    FFIEC Procedures, Part A and Module 1.\nIncluded.                         be included in privacy\n                                  notices.\n504. Rulemaking.\n504(a) Regulatory Authority.      
Part 364, Appendix B,\n                                  Interagency Guidelines\n                                  Establishing Standards for\n                                  Safeguarding Customer\n                                  Information.\n                                  Part 332 Privacy of\n                                  Consumer Financial\n                                  Information.\n                                  Part 334 Fair Credit\n                                  Reporting (proposed).\n504(b) Authority To Grant         Not Applicable                  The regulations do not prescribe any \xe2\x80\x9cadditional exceptions\xe2\x80\x9d to\nExceptions.                                                       subsection (a) through (d) of section 502.\n\n                                                                      32\n\x0c                                                                                                                                APPENDIX III\n\n\n   GLBA Title V Section                FDIC Rules and               Financial Institution Letters (FIL) and/or DSC Examination\n   Number and Heading                   Regulations                          Procedures (OIG Comments are in Bold)\n505. Enforcement\n505(a) In General.                 Not Applicable \xe2\x80\x93 Covered\n                                   under Section 8 of the FDI\n                                   Act.\n505(b) Enforcement of Section      Section 364.101(b); Part\n501.                               
364, Appendix B.\n                                   Interagency Guidelines\n                                   Establishing Standards for\n                                   Safeguarding Customer\n                                   Information.\n                                   Part 308, Subpart R,\n                                   Submission and Review of\n                                   Safety and Soundness\n                                   Compliance Plans and\n                                   Issuance of Orders to\n                                   Correct Safety and\n                                   Soundness Deficiencies.\n505(c) Absence of State Action.    Not Applicable\n505(d) Definitions.                Not Applicable\n506. Protection of Fair Credit Reporting Act.\n506(a) Amendment.--Section         Part 334 \xe2\x80\x93 Fair Credit       The authority of the federal financial institution regulatory agencies to\n621 of the Fair Credit Reporting   Reporting.                   conduct routine examinations for compliance with the Fair Credit\nAct (15 U.S.C. 1681s) is           The banking regulators       Reporting Act (FCRA) is restored.\namended.                           anticipate issuing a new\n                                   proposed rulemaking for\n                                   public comments, due to      Division of Compliance and Consumer Affairs Memorandum Transmittal\n                                   comments being received on   Number DCA-00-009, Revised Interagency Examination Procedures for the\n                                   the October 20, 2000         Fair Credit Reporting Act, directs the resumption of routine examinations for\n                                   proposal.                    
compliance with the FCRA.\n\n                                                                    33\n\x0c                                                                                                                                 APPENDIX III\n\n\n   GLBA Title V Section                FDIC Rules and                Financial Institution Letters (FIL) and/or DSC Examination\n   Number and Heading                   Regulations                           Procedures (OIG Comments are in Bold)\n                                                                 Federal banking agencies shall jointly prescribe regulations as necessary\n                                                                 to carry out the purposes of FCRA with respect to financial institutions.\n                                                                 FIL-71-2000, Proposed Regulations Implementing the Fair Credit Reporting\n                                                                 Act, dated October 26, 2000. This FIL distributes the proposed rule, Part 334,\n                                                                 published in the Federal Register (Vol. 65, No. 204, dated October 20, 2000).\n                                                                 FIL-26-2001, Guidance on the Timing and Preparation of Privacy Notices to\n                                                                 Conform to Fair Credit Reporting Act Requirements, dated March 27, 2001.\n                                                                 This FIL provides guidance on a technical and timing aspect of the proposed\n                                                                 rule, Part 334.\n506(b) Conforming Amendment.      Not Applicable\n506(c) Relation to Other          Section 332.16 Protection of\nProvisions.                       Fair Credit Report Act.\n507. Relation to State Laws.\n507(a) In General.                
Section 332.17 Relation to\n                                  State Laws.\n507(b) Greater Protection Under   Section 332.17 Relation to\nState Law.                        State Laws.\n508. Study of Information Sharing Among Financial Affiliates.\n508(a) In General.                Not Applicable\n508(b) Consultation.              Not Applicable\n508(c) Report.                    Not Applicable\n509. Definitions .\n                                  Part 364, Appendix B,\n                                  Section I.C. Definitions\n                                  Section 332.3 Definitions\n\n                                                                     34\n\x0c                                                                                                                                  APPENDIX III\n\n\n   GLBA Title V Section                 FDIC Rules and               Financial Institution Letters (FIL) and/or DSC Examination\n   Number and Heading                    Regulations                          Procedures (OIG Comments are in Bold)\n510. Effective Date.\n                                    Part 364, Appendix B,        FIL-68-2001, Examination Procedures to Evaluate Customer Information\n                                    Section III.G. Implement     Safeguards, dated August 24, 2001, stated that the effective date of the Section\n                                    the Standards                501(b) provisions was July 1, 2001.\n                                    Section 332.18 Effective     FIL-34-2000, Final Rule on the Privacy of Consumers\' Financial Information,\n                                    date; transition rule.       
dated June 5, 2000, stated that the rule took effect on November 13, 2000, but\n                                                                 financial institutions had until July 1, 2001, to be in mandatory compliance\n                                                                 with the regulation.\n                                           Subtitle B \xe2\x80\x93 Fraudulent Access to Financial Information\n521. Privacy Protection for Customer Information of Financial Institutions.\n521(a) Prohibition on Obtaining     Not Applicable               FIL-39-2001, Guidance on Identity Theft and Pretext Calling, dated\nCustomer Information by False                                    May 9, 2001.\nPretenses.\n521(b) Prohibition on               Not Applicable               FIL-39-2001, Guidance on Identity Theft and Pretext Calling, dated\nSolicitation of a Person to                                      May 9, 2001.\nObtain Customer Information\nfrom Financial Institution under\nFalse Pretenses.\n\n\n\n521(c) Nonapplicability to Law      Not Applicable\nEnforcement Agencies.\n521(d) Nonapplicability to          Not Applicable\nFinancial Institutions in Certain\nCases.\n521(e) Nonapplicability to          Not Applicable\nInsurance Institutions for\nInvestigation of Insurance Fraud.\n\n                                                                     35\n\x0c                                                                                                                           APPENDIX III\n\n\n   GLBA Title V Section                FDIC Rules and            Financial Institution Letters (FIL) and/or DSC Examination\n   Number and Heading                   Regulations                       Procedures (OIG Comments are in Bold)\n521(f) Nonapplicability to        Not Applicable\nCertain Types of Customer\nInformation of Financial\nInstitutions.\n521(g) Nonapplicability to        Not Applic able\nCollection of Child Support\nJudgments.\n522. 
Administrative Enforcement.\n522(a) Enforcement by Federal     Not Applicable\nTrade Commission.\n522(b) Enforcement by Other       Not Applicable - Covered\nAgencies in Certain Cases.        under Section 8 of the\n                                  FDI Act.\n523. Criminal Penalty.\n523(a) In General.                Not Applicable             FIL-39-2001, Guidance on Identity Theft and Pretext Calling, dated\n                                                             May 9, 2001.\n\n\n523(b) Enhanced Penalty for       Not Applicable             FIL-39-2001, Guidance on Identity Theft and Pretext Calling, dated\nAggravated Cases.                                            May 9, 2001.\n524. Relation to State Laws.\n524(a) In General.                Not Applicable\n524(b) Greater Protection Under   Not Applicable\nState Law.\n\n\n\n\n                                                                 36\n\x0c                                                                                                                     APPENDIX III\n\n\n   GLBA Title V Section              FDIC Rules and       Financial Institution Letters (FIL) and/or DSC Examination\n   Number and Heading                 Regulations                  Procedures (OIG Comments are in Bold)\n525. 
Agency Guidance.\n                                 Not Applicable       FIL-39-2001, Guidance on Identity Theft and Pretext Calling, dated\n                                                      May 9, 2001, summarized federal laws regarding identity theft and pretext\n                                                      calling; discusses measures that banks can take to protect customer\n                                                      information; informs banks on how suspected criminal activity should be\n                                                      reported; highlights the importance of consumer education; and provides\n                                                      references for additional assistance.\n                                                      The FDIC has not issued specific examination procedures that address\n                                                      this provision. (Refer to Finding B .)\n526. Reports.\n526(a) Report to the Congress.   Not Applicable\n526(b) Annual Report by          Not Applicable\nAdministering Agencies.\n527. Definitions .\n                                 Not Applicable\n\n\n\n\n                                                          37\n\x0c                       APPENDIX IV\n\n\nCORPORATION COMMENTS\n\n\n\n\n         38\n\x0c     APPENDIX IV\n\n\n\n\n39\n\x0c     APPENDIX IV\n\n\n\n\n40\n\x0c                                                                                                                                                APPENDIX V\n\n\n                                           MANAGEMENT RESPONSES TO RECOMMENDATIONS\nThis table presents the management responses that have been made on recommendations in our report and the status of recommendations as\nof the date of report issuance. 
The information in this table is based on management\xe2\x80\x99s written response to our report (and subsequent\ncommunication with management representatives.)\n\n                                                                                                                                                   Open\n                                                                                                                      a                    b\n Rec.                                                                 Expected             Monetary       Resolved:       Dispositioned:            or\nNumber Corrective Action: Taken or Planned/Status                   Completion Date        Benefits       Yes or No         Yes or No             Closedc\n  1    Incorporate specific examination procedures into\n       the IT General Work Program for evaluating a                   March 31, 2004           none           Yes                No                Open\n       bank\xe2\x80\x99s compliance with the pretext calling\n       guidelines.\n  2    Issue guidance to examiners in the form of a\n       Regional Directors Memorandum that will\n       identify specific procedures relative to GLBA                December 31, 2003          none           Yes                No                Open\n       Title V, Subtitle A, that examiners should\n       consider and provide guidance for summarizing\n       the work performed.\n  3    Issue guidance to examiners as part of the\n       proposed Regional Directors Memorandum to be\n       issued in response to recommendation 2. 
The\n       memorandum will provide guidance regarding the               December 31, 2003          none           Yes                No                Open\n       manner in which a financial institution\xe2\x80\x99s\n       compliance with customer information safeguard\n       standards is addressed in a report of examination.\n\na\n    Resolved \xe2\x80\x93   (1) Management concurs with the recommendation and the planned corrective action is consistent with the recommendation.\n                 (2) Management does not concur with the recommendation but planned alternative action is acceptable to the OIG.\n                 (3) Management agrees to the OIG monetary benefits or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as\n                 management provides an amount.\nb\n  Dispositioned \xe2\x80\x93 The agreed-upon corrective action must be implemented, determined to be effective, and the actual amounts of monetary benefits achieved through\nimplementation identified. The OIG is responsible for determining whether the documentation provided by management is adequate to disposition the recommendation.\nc\n  Once the OIG dispositions the recommendation, it can then be closed.\n\n\n\n\n                                                                               41\n\x0c'